Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
24-04-2024 01:31
General
-
Target
PI88009454 007865EQ.exe
-
Size
672KB
-
MD5
c3cf30f78c7564162412228388adb129
-
SHA1
e7e3ea2f0f077d7e581c91f983b44d578355620d
-
SHA256
f8bb3c7c28ad6279b257469ae7e4c3e1952f50588894305ae473652add17a136
-
SHA512
9ed98d8f904247992a53b8aa929ecde95b8a4ff6fe938cf8181884de0eea8d719da69eacb74892a9dc79b4c8b2e2ed0b9d95706e967af4dc4547f00d52e364bb
-
SSDEEP
12288:PZy9zrtb7BBj6EceQ9A0Q9iuFMiE8I2QrhhZQzigN+OdYVsZlN/:BeXt3B16XeQ9A/nE8IlWGgN+C5
Malware Config
Extracted
Protocol: ftp- Host:
ftp.klptruck.hu - Port:
21 - Username:
[email protected] - Password:
kCu}[Z7z+)S[
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.klptruck.hu - Port:
21 - Username:
[email protected] - Password:
kCu}[Z7z+)S[
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PI88009454 007865EQ.exe"C:\Users\Admin\AppData\Local\Temp\PI88009454 007865EQ.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4292-0-0x0000000074B80000-0x0000000075330000-memory.dmpFilesize
7.7MB
-
memory/4292-1-0x00000000002B0000-0x000000000035E000-memory.dmpFilesize
696KB
-
memory/4292-2-0x0000000005310000-0x00000000058B4000-memory.dmpFilesize
5.6MB
-
memory/4292-3-0x0000000004D60000-0x0000000004DF2000-memory.dmpFilesize
584KB
-
memory/4292-4-0x0000000004F80000-0x00000000052D4000-memory.dmpFilesize
3.3MB
-
memory/4292-5-0x0000000004F70000-0x0000000004F80000-memory.dmpFilesize
64KB
-
memory/4292-6-0x0000000004F00000-0x0000000004F0A000-memory.dmpFilesize
40KB
-
memory/4292-7-0x0000000006730000-0x00000000067D0000-memory.dmpFilesize
640KB
-
memory/4292-8-0x0000000007B30000-0x0000000007B48000-memory.dmpFilesize
96KB
-
memory/4292-9-0x0000000074B80000-0x0000000075330000-memory.dmpFilesize
7.7MB
-
memory/4292-10-0x0000000007B50000-0x0000000007B5E000-memory.dmpFilesize
56KB
-
memory/4292-11-0x0000000007B60000-0x0000000007B74000-memory.dmpFilesize
80KB
-
memory/4292-12-0x00000000025C0000-0x0000000002644000-memory.dmpFilesize
528KB
-
memory/4292-13-0x000000000A310000-0x000000000A3AC000-memory.dmpFilesize
624KB
-
memory/4292-14-0x000000000A2B0000-0x000000000A2F2000-memory.dmpFilesize
264KB
-
memory/4292-15-0x000000000D6E0000-0x000000000D746000-memory.dmpFilesize
408KB
-
memory/4292-16-0x0000000004F70000-0x0000000004F80000-memory.dmpFilesize
64KB
-
memory/4292-17-0x0000000007D20000-0x0000000007D70000-memory.dmpFilesize
320KB